[Outages-discussion] paypal.com certificate revoked?
William Kern
wkern at pixelgate.net
Fri Oct 14 19:18:54 EDT 2022
Yes, I was wondering about that. If you 0wned paypal.com but not
www.paypal.com you could redirect them somewhere nasty.
Paypal actually has two redirects on the site.
http://paypal.com goes to https://paypal.com (which then goes to
https://www.paypal.com)
$ curl -I http://paypal.com
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://paypal.com/
so that may play a role.
On 10/14/22 4:00 PM, Chuck Anderson via Outages-discussion wrote:
> If what you say is true, that seems like a very bad security hole in
> the other browsers.
>
> On Fri, Oct 14, 2022 at 03:42:17PM -0700, William Kern via Outages wrote:
>> ok, paypal.com 302s to www.paypal.com
>>
>>
>> # curl -I https://paypal.com
>> HTTP/1.1 302 Moved Temporarily
>> Content-Type: text/html
>> Content-Length: 161
>> Connection: keep-alive
>> Location: https://www.paypal.com/
>> Strict-Transport-Security: max-age=31536000; includeSubDomains
>>
>> So Firefox must be checking the cert first before the redirect.
>>
>> But other browsers may be processing the 302 THEN checking and seeing
>> the valid www.paypal.com
>>
>> -bill
>>
>> On 10/14/22 3:23 PM, Alex Cohn via Outages wrote:
>>> I'm getting a "revoked" OCSP response for the cert currently used by
>>> paypal.com, but a good response for www.paypal.com. The naked domain is
>>> using OCSP stapling and is serving an older valid response, which is
>>> probably why it's still working even on browsers that are configured to
>>> check for certificate revocation.
>>>
>>> The two certificates are https://crt.sh/?id=7746738574 (revoked, used
>>> by paypal.com) and https://crt.sh/?id=7754586913 (valid, used by
>>> www.paypal.com).
>>>
>>> -Alex
>>>
>>> On Fri, Oct 14, 2022 at 5:14 PM George Herbert via Outages
>>> <outages at outages.org> wrote:
>>>
>>> I get a good response now, with Produced At Oct 14 19:18:25 2022
>>>
>>> -george
>>>
>>> Sent from my iPhone
>>>
>>> > On Oct 14, 2022, at 2:43 PM, Chuck Anderson via Outages
>>> <outages at outages.org> wrote:
>>> >
>>> > Firefox says:
>>> >
>>> > Secure Connection Failed
>>> >
>>> > An error occurred during a connection to paypal.com. Peer’s
>>> > Certificate has been revoked.
>>> >
>>> > Error code: SEC_ERROR_REVOKED_CERTIFICATE
>>> >
>>> > OCSP checker says:
>>> >
>>> > https://www.certificatetools.com/ocsp-checker
>>> >
>>> > Domain Name(s) paypal.com, paypal-workplace.com, xoom-experience.com,
>>> > buyindiaonline.com, paypal-experience.com, xoom.com,
>>> > venmo-experience.com, sandbox.paypal.com, paypal.me, cash2india.com
>>> > OCSP URI http://ocsp.digicert.com
>>> > Next Update Oct 21 18:12:02 2022 GMT
>>> > This Update Oct 14 18:57:02 2022 GMT
>>> > Cert Status revoked
>>> > Produced At Oct 14 19:13:05 2022 GMT
>>> > Response Type Basic OCSP Response
>>> > OCSP Response Status successful (0x0)
>>> > OpenSSL Command openssl ocsp -sha1 -issuer ca.crt -cert cert.crt
>>> > -header host=ocsp.digicert.com -url http://ocsp.digicert.com -text
>>> > -CAfile ca.crt -no_nonce
> _______________________________________________
> Outages-discussion mailing list
> Outages-discussion at outages.org
> https://puck.nether.net/mailman/listinfo/outages-discussion
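The behaviour the thread is puzzling over (the naked domain still loading in revocation-checking browsers while the responder says "revoked") follows from two facts discussed above: every https hop of the redirect chain is a separate TLS handshake whose certificate is validated before the 302 can even be read, and a stapled OCSP response is accepted for as long as its thisUpdate/nextUpdate window covers the current time. The model below is an added example written for this page, not code from any poster or from PayPal. The revoked responder data is the OCSP checker output quoted in the thread; the hop table, the older stapled "good" response for paypal.com and the "good" response for www.paypal.com are constructed so the walk can run offline.

```python
"""Model of a revocation-checking client walking the redirect chain in this thread.

Added example, not code from the list posters or from PayPal. The hop table,
the stapled 'good' response and the www.paypal.com response are constructed;
the revoked responder data is the OCSP checker output quoted in the thread.
"""
from datetime import datetime
from urllib.parse import urlsplit

# Timestamp format used by the checker output, e.g. "Oct 14 18:57:02 2022 GMT".
OCSP_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_time(text):
    """Turn a checker-style timestamp into a datetime (naive, UTC by convention)."""
    return datetime.strptime(text, OCSP_TIME)


def parse_ocsp_checker(text):
    """Parse the 'Key Value' lines as printed by the OCSP checker in the thread."""
    fields = {}
    for line in text.strip().splitlines():
        for key in ("Cert Status", "This Update", "Next Update", "Produced At"):
            if line.startswith(key):
                fields[key] = line[len(key):].strip()
    return {
        "status": fields["Cert Status"],
        "this_update": parse_time(fields["This Update"]),
        "next_update": parse_time(fields["Next Update"]),
        "produced_at": parse_time(fields["Produced At"]),
    }


# Responder data for the paypal.com cert, as quoted in the thread (revoked).
RESPONDER_PAYPAL = parse_ocsp_checker("""
Cert Status revoked
Produced At Oct 14 19:13:05 2022 GMT
This Update Oct 14 18:57:02 2022 GMT
Next Update Oct 21 18:12:02 2022 GMT
""")

# Constructed: an older 'good' response the naked domain could still be stapling.
STAPLE_PAYPAL = parse_ocsp_checker("""
Cert Status good
Produced At Oct 13 18:57:02 2022 GMT
This Update Oct 13 18:57:02 2022 GMT
Next Update Oct 20 18:12:02 2022 GMT
""")

# Constructed: a current 'good' response for the www.paypal.com cert.
RESPONDER_WWW = parse_ocsp_checker("""
Cert Status good
Produced At Oct 14 19:13:05 2022 GMT
This Update Oct 14 18:57:02 2022 GMT
Next Update Oct 21 18:12:02 2022 GMT
""")

# Constructed: what each TLS endpoint staples and what the CA responder says.
OCSP_DATA = {
    "paypal.com": {"stapled": STAPLE_PAYPAL, "responder": RESPONDER_PAYPAL},
    "www.paypal.com": {"stapled": None, "responder": RESPONDER_WWW},
}

# Constructed redirect table mirroring the two curl -I results in the thread.
HOPS = {
    "http://paypal.com/": (301, "https://paypal.com/"),
    "https://paypal.com/": (302, "https://www.paypal.com/"),
    "https://www.paypal.com/": (200, None),
}


def response_is_usable(resp, now):
    """A client only trusts a response whose validity window contains 'now'."""
    return resp["this_update"] <= now <= resp["next_update"]


def check_revocation(host, now, use_staple=True):
    """Status the client acts on: the staple if present and still within its
    window, otherwise the responder's answer; 'unknown' if neither is usable."""
    entry = OCSP_DATA[host]
    resp = entry["stapled"] if use_staple else None
    if resp is None or not response_is_usable(resp, now):
        resp = entry["responder"]
    if not response_is_usable(resp, now):
        return "unknown"
    return resp["status"]


def walk(url, now, use_staple=True, max_hops=5):
    """Follow the chain. On every https hop the certificate is validated during
    the TLS handshake, i.e. before the HTTP response carrying the Location
    header can be read, so a revoked (or unknown) hop stops the walk there."""
    trail = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme == "https":
            status = check_revocation(parts.hostname, now, use_staple)
            trail.append((url, "tls:" + status))
            if status != "good":
                return trail
        code, location = HOPS[url]
        trail.append((url, code))
        if location is None:
            return trail
        url = location
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    now = parse_time("Oct 14 19:18:54 2022 GMT")
    for label, staple in (("staple honoured", True), ("live OCSP query", False)):
        print(label, "->", walk("http://paypal.com/", now, staple))
```

Run with the stapled response honoured, the walk reaches www.paypal.com with a 200; run with a live responder query instead (`use_staple=False`), it stops at the https://paypal.com/ hop with `tls:revoked`, which is the Firefox behaviour reported above. The same model also shows the limit of the stapled response: once its nextUpdate passes, the client falls back to the responder and sees the revocation anyway.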